Image: Soheb Zaidi via Unsplash

North Korean hackers siphon more than $12 million from crypto users in sprawling campaign

Incident responders uncovered troves of new information on a recent North Korean campaign targeting the cryptocurrency holdings of web developers.

Expel’s Marcus Hutchins published a report on a group he called HexagonalRodent, linking the operation to North Korean state-backed actors tracked as “Famous Chollima.”

Hutchins said the group stole up to $12 million in cryptocurrency in the first three months of 2026 through malware attacks on personal devices. The hackers used an array of malware strains – including BeaverTail, OtterCookie and InvisibleFerret – to extract funds from 26,584 cryptocurrency wallets held on 2,726 infected systems. 

Hutchins said their investigation began in October, when they were looking into a BeaverTail malware infection on a customer network. Both BeaverTail and InvisibleFerret were previously linked to hackers from North Korea by other incident response firms. 

The investigation led them to infrastructure created by the threat actors, which offered a glimpse into how the operation functioned from the inside. 

The threat actors behind the campaign targeted Web3 developers with high-paying job offers, reaching out through LinkedIn while posing as fake companies. In one instance, the hackers even registered a fake company in Mexico as part of their effort to convince job seekers. 

Hutchins said the threat actors used generative AI to not only refine the malware code but to create fake companies and LinkedIn accounts that could be used to offer the fake jobs. 

After the hackers contacted a developer with a fake job offer, the victim was asked to download a coding assessment tool laced with malware.

Expel researchers gained access to an internal panel used by the group to capture metrics associated with BeaverTail. The malware allows hackers to exfiltrate credentials from password managers, the macOS Keychain and more. 

Internal documents showed that the HexagonalRodent campaign is split among 31 hackers on six different teams. There is evidence that past members of HexagonalRodent split off to form their own operations. 

Smaller attacks

The Expel findings are another example of North Korea’s diverse approach to stealing cryptocurrency. In addition to the high-profile attacks on crypto exchanges involving hundreds of millions of dollars, multiple North Korean operators are focused on siphoning relatively small amounts of funds from everyday users. 

“For the past four years, the tech industry has been flooded with mass-layoff after mass-layoff. This has likely heavily impacted DPRK’s fraudulent IT worker scheme, forcing them to reallocate resources towards other means of generating revenue,” Hutchins said. 

“With so many software engineers out of work, and so few job opportunities available, it makes it all the easier for North Korean state-sponsored hackers to ensnare targets. With developers applying to hundreds or thousands of jobs without receiving a call back, they’re likely to have their guard down when that one job offer finally comes in.”

The report comes days after North Korea’s government was accused of launching two separate crypto heists that allowed them to steal more than $280 million from each platform.

Cybersecurity companies continue to warn the cryptocurrency industry that North Korea’s hackers have dedicated teams specifically targeting developers with malware.

Last week, Microsoft uncovered a North Korean campaign targeting macOS that allowed hackers to steal cryptocurrency assets and harvest credentials. Another company identified a Pyongyang-led campaign this week involving fake meetings that also targeted macOS.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.